Whitelist runuser common (#3286)

* introduce whitelist-runuser-common.inc

 * If an applications does not need a whitelist it can/should be
   nowhitelisted. Example:

     nowhitelist ${RUNUSER}/pulse
     include whitelist-runuser-common.inc

 * ${RUNUSER}/bus is inaccessible with nodbus regardless of the
   whitelist. (as it should)

 * strange wayland setups with an second wayland-compostior need to
   whitelist ${RUNUSER}/wayland-1, ${RUNUSER}/wayland-2 and so on.

 * some display-manager store there Xauthority file in ${RUNUSER}.
   test results with fedora 31:
   - ssdm: ~/.Xauthority is used
   - lightdm: /run/lightdm/USER/Xauthority
   - gdm: /run/user/UID/gdm/Xauthority

 * IMPORTANT: ATM we can only enable this for non-graphical and GTK3
   programs because mutter (GNOMEs window-manger) stores the Xauthority
   file for Xwayland under /run/user/UID/.mutter-Xwaylandauth.XXXXXX
   where XXXXXX is random. Until we have whitelist globbing we can't
   whitelist this file. QT/KDE and other toolkits without full wayland
   support won't be able to start.

* wru update 1

- add wru to more profiles.
- blacklist ${RUNUSER} works for the most cli programs too.

* add wruc to more profiles

* fixes

* fixes

* wruc: hide pulse pid

* update

* remove wruc from all the x11 profiles

* fixes

* fix ordering

* read-only

* revert read-only

* update

* 

74 files changed, 116 insertions, 12 deletions

diff --git a/RELNOTES b/RELNOTES
index 584942853..b982202d6 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -3,6 +3,7 @@ firejail (0.9.63) baseline; urgency=low
   * DHCP client support
   * SELinux labeling support
   * 32-bit seccomp filter
+  * restrict ${RUNUSER} in serveral profiles
   * new condition: HAS_NOSOUND
   * new profiles: gfeeds, firefox-x11, tvbrowser, rtv, clipgrab, muraster
   * new profiles: gnome-passwordsafe, bibtex, gummi, latex, mupdf-x11-curl
diff --git a/etc/baobab.profile b/etc/baobab.profile
index d87de9d66..a2cfa6d67 100644
--- a/etc/baobab.profile
+++ b/etc/baobab.profile
@@ -14,6 +14,8 @@ include disable-passwdmgr.inc
 # include disable-programs.inc
 # include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 net none
 no3d
diff --git a/etc/celluloid.profile b/etc/celluloid.profile
index d099ba11e..daed19634 100644
--- a/etc/celluloid.profile
+++ b/etc/celluloid.profile
@@ -24,6 +24,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/curl.profile b/etc/curl.profile
index a720aca9b..a33d084ce 100644
--- a/etc/curl.profile
+++ b/etc/curl.profile
@@ -10,6 +10,8 @@ include globals.local
 noblacklist ${HOME}/.curlrc
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/d-feet.profile b/etc/d-feet.profile
index 897bf5f5d..51df7b455 100644
--- a/etc/d-feet.profile
+++ b/etc/d-feet.profile
@@ -24,6 +24,7 @@ mkdir ${HOME}/.config/d-feet
 whitelist ${HOME}/.config/d-feet
 whitelist /usr/share/d-feet
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/dconf-editor.profile b/etc/dconf-editor.profile
index a9d25128f..e7cc66e32 100644
--- a/etc/dconf-editor.profile
+++ b/etc/dconf-editor.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist ${HOME}/.local/share/glib-2.0
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/dig.profile b/etc/dig.profile
index e6b7e46d9..270a95c05 100644
--- a/etc/dig.profile
+++ b/etc/dig.profile
@@ -11,6 +11,8 @@ noblacklist ${HOME}/.digrc
 noblacklist ${PATH}/dig
 
 blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 # include disable-devel.inc
diff --git a/etc/elinks.profile b/etc/elinks.profile
index 82d1ba528..2a306d704 100644
--- a/etc/elinks.profile
+++ b/etc/elinks.profile
@@ -18,6 +18,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/enchant.profile b/etc/enchant.profile
index fa556c7d2..69e8b1e44 100644
--- a/etc/enchant.profile
+++ b/etc/enchant.profile
@@ -21,6 +21,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.config/enchant
 whitelist ${HOME}/.config/enchant
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/eo-common.profile b/etc/eo-common.profile
index 13f498c03..80c704c6b 100644
--- a/etc/eo-common.profile
+++ b/etc/eo-common.profile
@@ -18,6 +18,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/evince.profile b/etc/evince.profile
index 143a347e6..68ef5eb9a 100644
--- a/etc/evince.profile
+++ b/etc/evince.profile
@@ -21,6 +21,7 @@ whitelist /usr/share/doc
 whitelist /usr/share/evince
 whitelist /usr/share/poppler
 whitelist /usr/share/tracker
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/evolution.profile b/etc/evolution.profile
index 71a7a5600..4740bf935 100644
--- a/etc/evolution.profile
+++ b/etc/evolution.profile
@@ -23,6 +23,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 # no3d breaks under wayland
diff --git a/etc/feedreader.profile b/etc/feedreader.profile
index 5a72b60ea..7d3c7a8f4 100644
--- a/etc/feedreader.profile
+++ b/etc/feedreader.profile
@@ -23,6 +23,7 @@ whitelist ${HOME}/.cache/feedreader
 whitelist ${HOME}/.local/share/feedreader
 whitelist /usr/share/feedreader
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/file-roller.profile b/etc/file-roller.profile
index 9d84f07de..70dd030ee 100644
--- a/etc/file-roller.profile
+++ b/etc/file-roller.profile
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /usr/share/file-roller
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/file.profile b/etc/file.profile
index 82b161d48..854586354 100644
--- a/etc/file.profile
+++ b/etc/file.profile
@@ -8,6 +8,7 @@ include file.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-exec.inc
diff --git a/etc/filezilla.profile b/etc/filezilla.profile
index d8d4c1746..6c7ab8f0d 100644
--- a/etc/filezilla.profile
+++ b/etc/filezilla.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-devel.inc
 include disable-interpreters.inc
 include disable-programs.inc
+
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/flameshot.profile b/etc/flameshot.profile
index 3aad9723b..9a3df98f4 100644
--- a/etc/flameshot.profile
+++ b/etc/flameshot.profile
@@ -17,6 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/gedit.profile b/etc/gedit.profile
index a4471077a..148b98c99 100644
--- a/etc/gedit.profile
+++ b/etc/gedit.profile
@@ -19,6 +19,7 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 # apparmor - makes settings immutable
diff --git a/etc/gfeeds.profile b/etc/gfeeds.profile
index d332c1bbe..7de762e0d 100644
--- a/etc/gfeeds.profile
+++ b/etc/gfeeds.profile
@@ -29,6 +29,7 @@ whitelist ${HOME}/.cache/org.gabmus.gfeeds
 whitelist ${HOME}/.config/org.gabmus.gfeeds.json
 whitelist /usr/share/gfeeds
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gitg.profile b/etc/gitg.profile
index 3c6f9d72f..68f38c3ce 100644
--- a/etc/gitg.profile
+++ b/etc/gitg.profile
@@ -28,6 +28,7 @@ include disable-programs.inc
 #include whitelist-common.inc
 
 whitelist /usr/share/gitg
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gjs.profile b/etc/gjs.profile
index 85dd57f29..9c8848b8a 100644
--- a/etc/gjs.profile
+++ b/etc/gjs.profile
@@ -22,6 +22,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-builder.profile b/etc/gnome-builder.profile
index eaf48931d..7a684dd59 100644
--- a/etc/gnome-builder.profile
+++ b/etc/gnome-builder.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 ipc-namespace
 netfilter
diff --git a/etc/gnome-calculator.profile b/etc/gnome-calculator.profile
index 6709a331e..627ae368a 100644
--- a/etc/gnome-calculator.profile
+++ b/etc/gnome-calculator.profile
@@ -16,6 +16,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-characters.profile b/etc/gnome-characters.profile
index f02fe13f6..77b0c3c15 100644
--- a/etc/gnome-characters.profile
+++ b/etc/gnome-characters.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/org.gnome.Characters
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-clocks.profile b/etc/gnome-clocks.profile
index 025335a23..b865423c5 100644
--- a/etc/gnome-clocks.profile
+++ b/etc/gnome-clocks.profile
@@ -17,6 +17,7 @@ include disable-xdg.inc
 whitelist /usr/share/gnome-clocks
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-contacts.profile b/etc/gnome-contacts.profile
index ac6d82451..7c1e4bb58 100644
--- a/etc/gnome-contacts.profile
+++ b/etc/gnome-contacts.profile
@@ -17,6 +17,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/gnome-hexgl.profile b/etc/gnome-hexgl.profile
index 386c33d7f..a06ccc9c1 100644
--- a/etc/gnome-hexgl.profile
+++ b/etc/gnome-hexgl.profile
@@ -15,9 +15,8 @@ include disable-programs.inc
 include disable-xdg.inc
 
 mkdir ${HOME}/.cache/mesa_shader_cache
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/wayland-0
 whitelist /usr/share/gnome-hexgl
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-latex.profile b/etc/gnome-latex.profile
index 1bf48c6ab..ea4151137 100644
--- a/etc/gnome-latex.profile
+++ b/etc/gnome-latex.profile
@@ -22,6 +22,7 @@ include disable-programs.inc
 whitelist /usr/share/gnome-latex
 whitelist /usr/share/perl5
 whitelist /usr/share/texlive
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 # May cause issues.
 #include whitelist-var-common.inc
diff --git a/etc/gnome-logs.profile b/etc/gnome-logs.profile
index 0c5bec144..31b7cfb4f 100644
--- a/etc/gnome-logs.profile
+++ b/etc/gnome-logs.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 whitelist /var/log/journal
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-maps.profile b/etc/gnome-maps.profile
index 12415a937..bf263efa9 100644
--- a/etc/gnome-maps.profile
+++ b/etc/gnome-maps.profile
@@ -35,6 +35,7 @@ whitelist ${PICTURES}
 whitelist /usr/share/gnome-maps
 whitelist /usr/share/libgweather
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-music.profile b/etc/gnome-music.profile
index 9c3131162..36b46897c 100644
--- a/etc/gnome-music.profile
+++ b/etc/gnome-music.profile
@@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/gnome-nettool.profile b/etc/gnome-nettool.profile
index d15299890..649473679 100644
--- a/etc/gnome-nettool.profile
+++ b/etc/gnome-nettool.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/gnome-nettool
 #include whitelist-common.inc -- see #903
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-passwordsafe.profile b/etc/gnome-passwordsafe.profile
index de8f6ad7d..555a59d93 100644
--- a/etc/gnome-passwordsafe.profile
+++ b/etc/gnome-passwordsafe.profile
@@ -21,13 +21,9 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/bus
-# If you have a second wayland compositor, whitelist its socket here.
-whitelist ${RUNUSER}/wayland-0
-whitelist ${RUNUSER}/gdm/Xauthority
-
 whitelist /usr/share/cracklib
 whitelist /usr/share/passwordsafe
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-photos.profile b/etc/gnome-photos.profile
index c28217efb..2af406af9 100644
--- a/etc/gnome-photos.profile
+++ b/etc/gnome-photos.profile
@@ -17,6 +17,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/gnome-schedule.profile b/etc/gnome-schedule.profile
index c8dd8ead7..55913a2d7 100644
--- a/etc/gnome-schedule.profile
+++ b/etc/gnome-schedule.profile
@@ -39,6 +39,7 @@ whitelist /usr/share/gnome-schedule
 whitelist /var/spool/atd
 whitelist /var/spool/cron
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gnome-screenshot.profile b/etc/gnome-screenshot.profile
index c00aefdb7..cc5efb161 100644
--- a/etc/gnome-screenshot.profile
+++ b/etc/gnome-screenshot.profile
@@ -17,11 +17,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
-whitelist ${RUNUSER}/bus
-whitelist ${RUNUSER}/pulse
-whitelist ${RUNUSER}/gdm/Xauthority
-whitelist ${RUNUSER}/wayland-0
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/gnome-weather.profile b/etc/gnome-weather.profile
index 10db6296b..a181f1b9e 100644
--- a/etc/gnome-weather.profile
+++ b/etc/gnome-weather.profile
@@ -21,6 +21,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/gpg-agent.profile b/etc/gpg-agent.profile
index 16bda186e..adc8957e6 100644
--- a/etc/gpg-agent.profile
+++ b/etc/gpg-agent.profile
@@ -21,9 +21,12 @@ include disable-xdg.inc
 
 mkdir ${HOME}/.gnupg
 whitelist ${HOME}/.gnupg
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gpg.profile b/etc/gpg.profile
index b408a0123..787f35f9e 100644
--- a/etc/gpg.profile
+++ b/etc/gpg.profile
@@ -18,9 +18,12 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/pacman/keyrings
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/gucharmap.profile b/etc/gucharmap.profile
index b3aa58d29..f3e3ab14d 100644
--- a/etc/gucharmap.profile
+++ b/etc/gucharmap.profile
@@ -15,6 +15,7 @@ include disable-programs.inc
 include disable-xdg.inc
 
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/highlight.profile b/etc/highlight.profile
index 036de8d99..fc8b2f65a 100644
--- a/etc/highlight.profile
+++ b/etc/highlight.profile
@@ -7,6 +7,7 @@ include highlight.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/latex-common.profile b/etc/latex-common.profile
index 712ada722..84901e8ef 100644
--- a/etc/latex-common.profile
+++ b/etc/latex-common.profile
@@ -14,6 +14,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 
 whitelist /var/lib
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/less.profile b/etc/less.profile
index 00624e0f1..27e24c852 100644
--- a/etc/less.profile
+++ b/etc/less.profile
@@ -8,6 +8,7 @@ include less.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${HOME}/.lesshst
 
diff --git a/etc/links.profile b/etc/links.profile
index a31001c87..b2f94d3cf 100644
--- a/etc/links.profile
+++ b/etc/links.profile
@@ -24,6 +24,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.links
 whitelist ${HOME}/.links
 whitelist ${DOWNLOADS}
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/lynx.profile b/etc/lynx.profile
index fb6fe94ec..dbd0a61e5 100644
--- a/etc/lynx.profile
+++ b/etc/lynx.profile
@@ -16,6 +16,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/meld.profile b/etc/meld.profile
index 9a320c13d..be13e9643 100644
--- a/etc/meld.profile
+++ b/etc/meld.profile
@@ -36,6 +36,8 @@ include disable-passwdmgr.inc
 # Uncomment the next line (or put it into your meld.local) if you don't need to compare files in disable-programs.inc.
 #include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 # Uncomment the next lines (or put it into your meld.local) if you don't need to compare files in /usr/share.
 #whitelist /usr/share/meld
 #include whitelist-usr-share-common.inc
diff --git a/etc/mutt.profile b/etc/mutt.profile
index 1fc412955..8ff547b52 100644
--- a/etc/mutt.profile
+++ b/etc/mutt.profile
@@ -40,6 +40,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/newsboat.profile b/etc/newsboat.profile
index e063abe53..eabd17b4b 100644
--- a/etc/newsboat.profile
+++ b/etc/newsboat.profile
@@ -19,6 +19,7 @@ include disable-xdg.inc
 mkdir ${HOME}/.newsboat
 whitelist ${HOME}/.newsboat
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/nslookup.profile b/etc/nslookup.profile
index 40cb3b6d8..4aa1cfcbf 100644
--- a/etc/nslookup.profile
+++ b/etc/nslookup.profile
@@ -7,6 +7,10 @@ include nslookup.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
 noblacklist ${PATH}/nslookup
 
 include disable-common.inc
diff --git a/etc/pandoc.profile b/etc/pandoc.profile
index 9a8d82a96..9117b0c07 100644
--- a/etc/pandoc.profile
+++ b/etc/pandoc.profile
@@ -8,6 +8,7 @@ include pandoc.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
diff --git a/etc/patch.profile b/etc/patch.profile
index 4a3365378..95c92a3f5 100644
--- a/etc/patch.profile
+++ b/etc/patch.profile
@@ -8,6 +8,7 @@ include patch.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
diff --git a/etc/pdftotext.profile b/etc/pdftotext.profile
index 73ebf4615..a7112f1e8 100644
--- a/etc/pdftotext.profile
+++ b/etc/pdftotext.profile
@@ -7,6 +7,7 @@ include pdftotext.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
diff --git a/etc/ping.profile b/etc/ping.profile
index 75ad0ee31..3ef8ad64a 100644
--- a/etc/ping.profile
+++ b/etc/ping.profile
@@ -7,6 +7,10 @@ include ping.local
 # Persistent global definitions
 include globals.local
 
+blacklist /tmp/.X11-unix
+blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
diff --git a/etc/pitivi.profile b/etc/pitivi.profile
index 71032f2ee..c722e29b4 100644
--- a/etc/pitivi.profile
+++ b/etc/pitivi.profile
@@ -6,7 +6,6 @@ include pitivi.local
 # Persistent global definitions
 include globals.local
 
-
 noblacklist ${HOME}/.config/pitivi
 
 # Allow python (blacklisted by disable-interpreters.inc)
@@ -20,6 +19,7 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/pngquant.profile b/etc/pngquant.profile
index f9ce43c4c..4695eee71 100644
--- a/etc/pngquant.profile
+++ b/etc/pngquant.profile
@@ -16,6 +16,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
 apparmor
diff --git a/etc/polari.profile b/etc/polari.profile
index 939e2537e..87a53775f 100644
--- a/etc/polari.profile
+++ b/etc/polari.profile
@@ -28,6 +28,7 @@ whitelist ${HOME}/.local/share/TpLogger
 whitelist ${HOME}/.local/share/telepathy
 whitelist ${HOME}/.purple
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 
 caps.drop all
 netfilter
diff --git a/etc/remmina.profile b/etc/remmina.profile
index e85ceca13..6311c91df 100644
--- a/etc/remmina.profile
+++ b/etc/remmina.profile
@@ -19,6 +19,7 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
 include whitelist-var-common.inc
 
 caps.drop all
diff --git a/etc/rhythmbox.profile b/etc/rhythmbox.profile
index aff8b08e3..689fbe626 100644
--- a/etc/rhythmbox.profile
+++ b/etc/rhythmbox.profile
@@ -25,6 +25,7 @@ include disable-xdg.inc
 whitelist /usr/share/rhythmbox
 whitelist /usr/share/lua
 whitelist /usr/share/libquvi-scripts
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/rsync-download_only.profile b/etc/rsync-download_only.profile
index 84147f0a5..500656a4b 100644
--- a/etc/rsync-download_only.profile
+++ b/etc/rsync-download_only.profile
@@ -14,6 +14,7 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/seahorse.profile b/etc/seahorse.profile
index 5a742d05f..3a69086b5 100644
--- a/etc/seahorse.profile
+++ b/etc/seahorse.profile
@@ -31,7 +31,10 @@ whitelist /usr/share/gnupg
 whitelist /usr/share/gnupg2
 whitelist /usr/share/seahorse
 whitelist /usr/share/seahorse-nautilus
+whitelist ${RUNUSER}/gnupg
+whitelist ${RUNUSER}/keyring
 #include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/shellcheck.profile b/etc/shellcheck.profile
index 7b4041222..fb43c61e4 100644
--- a/etc/shellcheck.profile
+++ b/etc/shellcheck.profile
@@ -8,6 +8,7 @@ include shellcheck.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 noblacklist ${DOCUMENTS}
 
diff --git a/etc/ssh.profile b/etc/ssh.profile
index 1551c3fb6..cbd59c6e0 100644
--- a/etc/ssh.profile
+++ b/etc/ssh.profile
@@ -18,7 +18,10 @@ include disable-exec.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+whitelist ${RUNUSER}/keyring/ssh
+whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
 include whitelist-usr-share-common.inc
+include whitelist-runuser-common.inc
 
 caps.drop all
 ipc-namespace
diff --git a/etc/strings.profile b/etc/strings.profile
index 7dc453b1f..7d2d035a4 100644
--- a/etc/strings.profile
+++ b/etc/strings.profile
@@ -8,6 +8,7 @@ include strings.local
 include globals.local
 
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 #include disable-common.inc
 include disable-devel.inc
diff --git a/etc/templates/profile.template b/etc/templates/profile.template
index 0362b82af..4cb40027c 100644
--- a/etc/templates/profile.template
+++ b/etc/templates/profile.template
@@ -27,6 +27,7 @@
 #   ALLOW INCLUDES
 #   BLACKLISTS
 #   DISABLE INCLUDES
+#   NOWHITELISTS
 #   MKDIRS
 #   WHITELISTS
 #   WHITELIST INCLUDES
@@ -62,6 +63,8 @@ include globals.local
 #blacklist /tmp/.X11-unix
 # Disable Wayland
 #blacklist ${RUNUSER}/wayland-*
+# Disable RUNUSER (cli only)
+#blacklist ${RUNUSER}
 
 # It is common practice to add files/dirs containing program-specific configuration
 # (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
@@ -116,6 +119,7 @@ include globals.local
 ##mkfile PATH
 #whitelist PATH
 #include whitelist-common.inc
+#GTK3 only: include whitelist-runuser-common.inc
 #include whitelist-usr-share-common.inc
 #include whitelist-var-common.inc
 
diff --git a/etc/tracker.profile b/etc/tracker.profile
index d47185b1d..9030b1e01 100644
--- a/etc/tracker.profile
+++ b/etc/tracker.profile
@@ -17,6 +17,8 @@ include disable-interpreters.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/transmission-gtk.profile b/etc/transmission-gtk.profile
index 01bdeb4ef..baa970307 100644
--- a/etc/transmission-gtk.profile
+++ b/etc/transmission-gtk.profile
@@ -7,6 +7,8 @@ include transmission-gtk.local
 # Persistent global definitions
 include globals.local
 
+include whitelist-runuser-common.inc
+
 private-bin transmission-gtk
 
 ignore memory-deny-write-execute
diff --git a/etc/tshark.profile b/etc/tshark.profile
index 211f59f29..684a9491d 100644
--- a/etc/tshark.profile
+++ b/etc/tshark.profile
@@ -16,6 +16,7 @@ include disable-xdg.inc
 
 whitelist /usr/share/wireshark
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/vim.profile b/etc/vim.profile
index d27a9a633..e9a474239 100644
--- a/etc/vim.profile
+++ b/etc/vim.profile
@@ -17,6 +17,8 @@ include disable-common.inc
 include disable-passwdmgr.inc
 include disable-programs.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 nodvd
diff --git a/etc/w3m.profile b/etc/w3m.profile
index 97465baa1..5215ee6f5 100644
--- a/etc/w3m.profile
+++ b/etc/w3m.profile
@@ -20,6 +20,8 @@ include disable-passwdmgr.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+include whitelist-runuser-common.inc
+
 caps.drop all
 netfilter
 no3d
diff --git a/etc/wget.profile b/etc/wget.profile
index d402316e9..ad7a14c41 100644
--- a/etc/wget.profile
+++ b/etc/wget.profile
@@ -13,6 +13,7 @@ noblacklist ${HOME}/.wgetrc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/whitelist-runuser-common.inc b/etc/whitelist-runuser-common.inc
new file mode 100644
index 000000000..de59d03d3
--- /dev/null
+++ b/etc/whitelist-runuser-common.inc
@@ -0,0 +1,10 @@
+# Local customizations come here
+include whitelist-runuser-common.local
+
+# common ${RUNUSER} (=/run/user/$UID) whitelist for all profiles
+
+whitelist ${RUNUSER}/bus
+whitelist ${RUNUSER}/dconf
+whitelist ${RUNUSER}/gdm/Xauthority
+whitelist ${RUNUSER}/pulse/native
+whitelist ${RUNUSER}/wayland-0
diff --git a/etc/whois.profile b/etc/whois.profile
index 9af6d6843..5fea610d8 100644
--- a/etc/whois.profile
+++ b/etc/whois.profile
@@ -9,6 +9,7 @@ include globals.local
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc
diff --git a/etc/yelp.profile b/etc/yelp.profile
index acd483209..7053f98e8 100644
--- a/etc/yelp.profile
+++ b/etc/yelp.profile
@@ -23,6 +23,7 @@ whitelist /usr/share/help
 whitelist /usr/share/yelp
 whitelist /usr/share/yelp-xsl
 include whitelist-common.inc
+include whitelist-runuser-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
 
diff --git a/etc/youtube-dl.profile b/etc/youtube-dl.profile
index 19effef47..6066313a3 100644
--- a/etc/youtube-dl.profile
+++ b/etc/youtube-dl.profile
@@ -22,6 +22,7 @@ include allow-python3.inc
 
 blacklist /tmp/.X11-unix
 blacklist ${RUNUSER}/wayland-*
+blacklist ${RUNUSER}
 
 include disable-common.inc
 include disable-devel.inc